By Glenn Fleishman

May 18, 2026 10:00 AM PT

FileVault keys can’t be escrowed in iCloud anymore

If you’ve enabled FileVault before macOS 26 Tahoe and used the option to escrow your key in iCloud, as of 26.4, you’ll be forced to migrate to a new, better, more secure method. Jason Snell just noted this update in his post about refreshed security. I wrote last September about how Tahoe shifted to storing the last-ditch account Recovery Key in Passwords starting with macOS 26.

In that column, I explained, “Your previous choices are preserved. If you wrote the key down or used iCloud escrow, this remains in place.” This is no longer the case! That article remains accurate and provides all the background and insight you need on using FileVault and the role of the Recovery Key.

However, when faced with the upgrade, you may appreciate a few tips and some advice.

You may not need FileVault

FileVault is not necessary for everyone. Apple encourages it, but enabling FileVault increases the odds that you might be locked out of your Mac forever should something go wrong. What is that something? If I could predict that, I wouldn’t be any richer, but you’d all be happier, as would Apple.

The something arises from FileVault’s two-part boot process, which uses a thin layer that requires a Mac account password to unlock your drive. There’s an “opportunity,” shall we say, for that data to corrupt for whatever reason. The Recovery Key bypasses the password requirement, uses a long code stored securely to let you in, and then resets your password.

You might also somehow forget your login password! Unlikely, but I have had times in the past when I used only a memorized password, and my fingers kept the muscle knowledge, and my brain apparently did not. I lost the thread of it, and couldn’t remember what to enter anymore! I have taken measures to prevent this since, but it isn’t impossible.

Fail to have a password or access to your Recovery Key, and you’re locked out forever. Apple can’t recover this data.

If you don’t use FileVault, you don’t need to worry about that at all. Consider your risk profile—are you concerned that someone other than you (or an authorized person) might have physical access to your Mac, and be able to bypass macOS’s login to read the drive directly? That is a big lift for anything but motivated cryptocurrency thieves or a government. If so, FileVault is a valuable add-on, a good complement to Lockdown Mode: FileVault hardens your Mac against local attempts to get into its contents; Lockdown Mode resists many common remote methods of malicious intrusion and phishing.

If not, you can rely on built-in encryption and the physical security of someone having to get to your machine to try to crack it.

But if you like or need the protection of FileVault, perhaps because you travel with a laptop or work in a sensitive industry or carry sensitive data, read on.

Practical upgrading insight

The previous column covers all the basics and the, er, advanceds, but as you migrate, consider these items:

• Found in passwords: Recovery Key is now stored in Passwords. Search for “recovery key” or the model name listed in Settings: General: About in the Name field. (Changing the name doesn’t update the Passwords entry.) If you don’t see an entry in Passwords, try resetting FileVault (see below).

• Persistently available: The key is persistently available in the Mac interface, too, either by using Touch ID or entering your password in Settings: Privacy & Security: FileVault and clicking Show.

• Backup your backup: Because you can no longer store your key in iCloud, it is critical that you have some means of using Passwords on a 26 or later operating system version to regain access to your Mac account if your login fails. You may want to store the key in another password management system, like 1Password, if that would increase your odds of gaining access to it. If you can’t use your password to log in and you can’t access your Recovery Key, you will be locked out of that data forever.

• Older devices can’t see the key: Any of your iCloud-linked devices not yet running iOS 26, iPadOS 26, or macOS 26 will be unable to view the Recovery Key in Passwords (or equivalent in Safari in older versions of macOS).

Resetting FileVault

In my case, I’d upgraded to the new method back in 26.0, writing about it here and upgrading my book Take Control of Securing Your Apple Devices. When I went to check just now—with 26.5 installed—the FileVault view said I had FileVault enabled. However, the Show button was grayed out, and Passwords didn’t show an entry for this computer.

I fixed it in this way:

1. Disable FileVault.
2. Click Turn Off Encryption. (You may be prompted to enter your password.)
3. Enable FileVault. (You may be prompted again, but probably not.)

The entry now appears in Passwords.

Note also that Apple continues to show outdated text in this section: “FileVault secures your data by encrypting the contents of your Mac and locking your screen with a password.” All M-series Macs and all Intel Macs with a T2 Security Chip encrypt the contents of the startup drive by default. FileVault layers startup protection on top of that. So Apple may require this mandatory security change, but it fails to explain it correctly.

[Got a question for the column? You can email glenn@sixcolors.com or use /glenn in our subscriber-only Discord community.]

[Glenn Fleishman is a printing and comics historian, Jeopardy champion, and serial Kickstarterer. His latest book, which you can pre-order, is Flong Time, No See. Recent books are Six Centuries of Type & Printing and How Comics Are Made.]

If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.